In-Reply-To: <20030804002946.4431.qmail@www.securityfocus.com> You've got to be kidding me? >The vendor hasn't been notified because of their >handling of previous vulnerabilties I found in Invision >Board I am extremely responsible with regards to security and in most cases I've had a fix ready and available within 30 minutes of receiving note of a vulnerability. I take a dim view of posting exact details of vulnerabilities before people have a chance to patch their board and I take a dim view of needlessly alarming people with almost trivial matters, such as this. If you find a vulnerability in a program and you post details of how to exploit it without notifying the vendor then that is very irresponsible indeed.
